> Any ideas?

I work offsite from my company's main corporate offices. The office where I work does not allow any traffic in or out of their firewall without making a formal request to the IT department. I needed to find out what ports the Cisco VPN used, so I used Shorewall to help me figure it out. Here is what I did:

Just below the "SECTION NEW" in the rules file, I added this rule:

    REJECT:info loc:10.240.5.128 net

10.240.5.128 is the IP address of the system that is trying to connect using the Cisco VPN. I then restarted Shorewall and tried to connect with the Cisco VPN. With the above rule added, my log got several instances of the following message:

    Apr 18 10:07:34 server kern.info kernel: Shorewall:loc2net:REJECT:IN=br0 OUT=br1 PHYSIN=tap0 PHYSOUT=vlan1 SRC=10.240.5.128 DST=208.37.144.30 LEN=898 TOS=0x00 PREC=0x00 TTL=127 ID=30661 PROTO=UDP SPT=500 DPT=500 LEN=878

(You should probably ignore the PHYSIN=tap0 -- I conducted this testing over another VPN -- I used OpenVPN to connect from work to my home and then tried using the Cisco VPN client to connect to the corporate office through my home internet connection. The results would be the same if I had been at home.)

The "PROTO=UDP SPT=500 DPT=500" part of the log prompted me to add the following rule above my previous REJECT rule:

    ACCEPT:info loc:10.240.5.128 net UDP 500

I restarted Shorewall again and gave it another try. This time I received the following messages in my log file:

    Apr 18 10:11:07 server kern.info kernel: Shorewall:loc2net:REJECT:IN=br0 OUT=br1 PHYSIN=tap0 PHYSOUT=vlan1 SRC=10.240.5.128 DST=208.37.144.30 LEN=29 TOS=0x00 PREC=0x00 TTL=127 ID=33539 PROTO=UDP SPT=4500 DPT=4500 LEN=9

The "PROTO=UDP SPT=4500 DPT=4500" part of the log message indicated that I needed to change my accept rule to the following:

    ACCEPT:info loc:10.240.5.128 net UDP 500,4500

After restarting Shorewall, everything worked. I submitted a request to the IT department to allow outbound UDP ports 500 and 4500. Now I can connect directly without any trouble.

> I have tried to remove shorewall from the equation by doing the
> following with no luck.
>
> sudo shorewall clear
> sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.118.0/24 -j MASQUERADE

The above steps from your original post pretty much prove Shorewall can't be causing any problems, but you might want to try and use its logging facilities to help you track down if there is some other problem.

Just an idea

-Russel

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
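The port-discovery technique in Russel's reply (log the REJECTs, read PROTO and DPT, write the matching ACCEPT), as an added example that is not part of the thread: a small Python script that parses Shorewall's REJECT log lines and emits the rules-file ACCEPT lines they imply. The sample log lines are constructed from the values quoted above, and the rule column layout mirrors the post's rules.

```python
# Added example (not from the thread): turn Shorewall REJECT:info log lines into the
# minimal ACCEPT rules they imply. Log format is netfilter's LOG output as Shorewall
# emits it; the sample lines are constructed from the values quoted in the post.
import re
from collections import defaultdict

# "Shorewall:loc2net:REJECT:" gives the zone pair and the action; KEY=value fields follow.
_CHAIN = re.compile(r"Shorewall:(?P<rule>[^:\s]+):(?P<action>[^:\s]+):")
_FIELD = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S+)")

SAMPLE_LOG = """\
Apr 18 10:07:34 server kern.info kernel: Shorewall:loc2net:REJECT:IN=br0 OUT=br1 PHYSIN=tap0 PHYSOUT=vlan1 SRC=10.240.5.128 DST=208.37.144.30 LEN=898 TOS=0x00 PREC=0x00 TTL=127 ID=30661 PROTO=UDP SPT=500 DPT=500 LEN=878
Apr 18 10:11:07 server kern.info kernel: Shorewall:loc2net:REJECT:IN=br0 OUT=br1 PHYSIN=tap0 PHYSOUT=vlan1 SRC=10.240.5.128 DST=208.37.144.30 LEN=29 TOS=0x00 PREC=0x00 TTL=127 ID=33539 PROTO=UDP SPT=4500 DPT=4500 LEN=9
Apr 18 10:11:08 server kern.info kernel: Shorewall:loc2net:REJECT:IN=br0 OUT=br1 PHYSIN=tap0 PHYSOUT=vlan1 SRC=10.240.5.128 DST=208.37.144.30 LEN=29 TOS=0x00 PREC=0x00 TTL=127 ID=33540 PROTO=UDP SPT=4500 DPT=4500 LEN=9
Apr 18 10:11:09 server kern.info kernel: Shorewall:loc2net:ACCEPT:IN=br0 OUT=br1 PHYSIN=tap0 PHYSOUT=vlan1 SRC=10.240.5.128 DST=208.37.144.30 LEN=29 TOS=0x00 PREC=0x00 TTL=127 ID=33541 PROTO=UDP SPT=500 DPT=500 LEN=9
"""

def parse_reject(line):
    """Return (src_zone, dst_zone, fields) for a REJECT line, or None for anything else."""
    m = _CHAIN.search(line)
    if not m or m.group("action") != "REJECT":
        return None
    src_zone, _, dst_zone = m.group("rule").partition("2")
    fields = {}
    for f in _FIELD.finditer(line, m.end()):
        fields.setdefault(f.group("key"), f.group("val"))  # keep the first LEN= (IP total length)
    return src_zone, dst_zone, fields

def needed_ports(log_text):
    """Map (src_zone, dst_zone, SRC host, PROTO) -> sorted rejected destination ports."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_reject(line)
        if parsed is None:
            continue
        src_zone, dst_zone, f = parsed
        # Only TCP/UDP carry a DPT; other protocols (no port column) are left for a manual rule.
        if f.get("PROTO") in ("TCP", "UDP") and "DPT" in f:
            ports[(src_zone, dst_zone, f["SRC"], f["PROTO"])].add(int(f["DPT"]))
    return {k: sorted(v) for k, v in ports.items()}

def shorewall_rules(log_text):
    """One logged ACCEPT rule per (host, protocol), in the column order the post uses."""
    return [
        f"ACCEPT:info {sz}:{host} {dz} {proto} {','.join(map(str, dports))}"
        for (sz, dz, host, proto), dports in sorted(needed_ports(log_text).items())
    ]

if __name__ == "__main__":
    print("\n".join(shorewall_rules(SAMPLE_LOG)))
```

Only traffic that actually reaches the REJECT rule is logged, so run the application through every step it needs before trusting the list. Protocols without ports are skipped here and would need a rule written by protocol name.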